Slide 1: ECE578: Cryptography 7: Elliptic Curve Cryptographic Systems. Professor Richard A. Stanley, P.E. (ECE578/7, Spring 2010, © 2000-2010, Richard A. Stanley)
Slide 2: Last time… Elliptic curves may be useful for obtaining keys to use in asymmetric cryptography. ECC numbers are an order of magnitude smaller than RSA numbers for equivalent levels of security…we think! Elliptic curves must meet certain requirements to be useful.

Slide 3: ECC Drawbacks. Not as well studied as RSA and DL-based public-key schemes. Conceptually more difficult. Finding secure curves in the set-up phase is computationally expensive.

Slide 4: Elliptic Curve Definition

Slide 6: Objective. Goal: finding a (cyclic) group (G, ∘) so that we can use the DL problem as a one-way function. We have a set (points on the curve). We "only" need a group operation on the points.

Slide 7: Abelian Groups. An abelian group, also called a commutative group, is a group (G, *) with the additional property that the group operation * is commutative, so that for all a and b in G, a * b = b * a. Every cyclic group G is abelian.

Slide 8: Elliptic Curves. An elliptic curve is a plane curve defined by an equation of the form y^2 = x^3 + ax + b. The set of points on such a curve (i.e., all solutions of the equation together with a point at infinity) can be shown to form an abelian group. If x and y are chosen from a large finite field, the solutions form a finite abelian group.

Slide 9: Why Bother? For asymmetric cryptosystems, multiplication on elliptic curves can be used instead of exponentiation in finite fields. Key sizes seem to increase only linearly for increased security, not exponentially. Might this be useful in dealing with issues of computational complexity?
Slide 10: Elliptic Curve Cryptography: key sizes for equivalent security (all in bits)

  Symmetric key size   RSA and Diffie-Hellman key size   Elliptic curve key size
         80                      1024                            160
        112                      2048                            224
        128                      3072                            256
        192                      7680                            384
        256                     15360                            512

Slide 11: Elliptic Curve Cryptography: computation ratio

  Security level (bits)   DH cost : EC cost
          80                    3:1
         112                    6:1
         128                   10:1
         192                   32:1
         256                   64:1

Slide 12: Diffie-Hellman Key Exchange-1. Alice and Bob agree on a large prime n and g, where g is primitive mod n. These need not be kept secret. Alice chooses a large random integer x and sends to Bob: X = g^x mod n. Bob chooses a large random integer y and sends to Alice: Y = g^y mod n. NB: x and y are never transmitted.

Slide 13: Diffie-Hellman Key Exchange-2. Alice computes k = Y^x mod n. Bob computes k' = X^y mod n. But k = k' = g^(xy) mod n. Therefore, Bob and Alice now have a secret key, k, that they can share for communications. Eavesdroppers know only n, g, X, and Y, not x or y, which are required to compute k.

Slide 14: Diffie-Hellman Security. D-H security depends on the difficulty of factoring large numbers (size of n). It is computationally infeasible to recover x and y from the data known to an eavesdropper by any means other than exhaustive key search. Caveats: –n must be large –((n-1)/2) should also be prime –g can be small -- even one digit.

Slide 15: Diffie-Hellman Key Exchange (ECC). The cryptosystem is completely analogous to D-H in Z*_p. Setup: –Choose E: y^2 = x^3 + ax + b mod p –Choose primitive element α = (x_α, y_α).
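A toy version of the EC Diffie-Hellman exchange set up above, written as an added example for these notes (not the lecturer's code): the group operation on the curve points from slides 6-8, scalar multiplication as the analogue of g^x mod n, and the exchange itself. The curve y^2 = x^3 + 2x + 2 over F_17 with α = (5, 1) is a constructed toy whose 19-point group can be checked by hand, and the private keys 7 and 11 are constructed too; real ECDH uses curves of roughly 256 bits.

```python
# Added example, not from the lecture: ECDH on a constructed toy curve.
# E: y^2 = x^3 + 2x + 2 over F_17, primitive element ALPHA = (5, 1), #E = 19.
P_MOD, A, B = 17, 2, 2
ALPHA = (5, 1)
INF = None  # point at infinity: the neutral element of the group

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def point_add(p1, p2):
    """Group operation on E(F_p): chord rule (p1 != p2) or tangent rule (p1 == p2)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p2 is the inverse of p1 (also covers doubling a point with y = 0)
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)  # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P_MOD)  # chord slope
    x3 = (s * s - x1 - x2) % P_MOD
    y3 = (s * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mult(k, pt):
    """k * pt by double-and-add: the EC analogue of g^k mod n in classic D-H."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def ecdh(x, y):
    """Alice holds x, Bob holds y; only X and Y cross the wire, and x*Y == y*X == (x*y)*ALPHA."""
    X = scalar_mult(x, ALPHA)  # Alice -> Bob
    Y = scalar_mult(y, ALPHA)  # Bob -> Alice
    return X, Y, scalar_mult(x, Y), scalar_mult(y, X)
```

Because the group has prime order 19, 19·α is the point at infinity and the shared key for the constructed keys 7 and 11 is 77·α = α itself, which is the kind of small-group degeneracy the "#E must have one large prime factor" requirement on slide 18 rules out.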
Slide 16: Protocol

Slide 17: Security

Slide 18: Attacks. Only possible attacks against elliptic curves are the Pohlig-Hellman scheme together with Shanks' algorithm or Pollard's rho method: –#E must have one large prime factor p_l, with p_l between 2^160 and 2^250. So-called "Koblitz curves" (curves with a, b ∈ {0, 1}). For supersingular elliptic curves over GF(2^n), the DL in elliptic curves can be solved by solving the DL in GF(2^(kn)), k ≤ 6: –stay away from supersingular curves despite possible faster implementations. Powerful index-calculus attacks are not yet applicable.

Slide 19: Menezes-Vanstone Encryption. Set-up:

Slide 20: Encryption

Slide 21: Decryption

Slide 22: Disadvantage. Message expansion factor: Which means?

Slide 23: Implementation. Hardware: –Approximately 0.2 msec for an elliptic curve point multiplication with 167 bits on an FPGA. Software: –One elliptic curve point multiplication aP in less than 10 msec over GF(2^155). –Implementation on an 8-bit smart card processor without coprocessor available.
Slide 24: ElGamal Encryption Scheme. Published in 1985. Based on the DL problem in Z*_p or GF(2^k). Extension of the D-H key exchange for encryption.

Slide 25: El Gamal Protocol

Slide 26: Setup

Slide 27: Encryption

Slide 28: Decryption

Slide 29: How Does It Work?

Slide 30: Remarks

Slide 31: Computational Aspects. Encryption. Decryption.

Slide 32: Efficiency Issues

Slide 33: Efficiency (con't.)

Slide 34: Security of ElGamal

Slide 35: Security of El Gamal (con't.)

Slide 36: Summary - ECC. Elliptic curves can be used to produce elements in a finite field that are: –More efficient to generate –More difficult to reconstruct with partial data. For equivalent security, the key sizes needed with ECC increase linearly; for RSA, they increase exponentially.

Slide 37: Next: The Advanced Encryption Standard (AES)
Slide 38: Why a New Crypto Standard? DES now vulnerable to brute-force key search. 3DES still a viable option, but key management a problem. Implementation speeds in software disappointing. Need to have a national crypto standard even more critical than in the 1970's.

Slide 39: Basic Facts about AES. Successor to DES. AES selection process was administered by NIST. Unlike DES, the AES selection was an open (i.e., public) process. Likely to be the dominant secret-key algorithm in the next decade. Main AES requirements by NIST: –Block cipher with 128 I/O bits –Three key lengths must be supported: 128/192/256 bits –Security relative to other submitted algorithms –Efficient software and hardware implementations.

Slide 40: Chronology of the AES Process. Development announced on January 2, 1997 by the National Institute of Standards and Technology (NIST). 15 candidate algorithms accepted on August 20th, 1998. 5 finalists announced August 9th, 1999: –Mars, IBM Corporation –RC6, RSA Laboratories –Rijndael, J. Daemen & V. Rijmen –Serpent, Eli Biham et al. –Twofish, B. Schneier et al. October 2nd, 2000, NIST chooses Rijndael as the AES.

Slide 41: Comparison of Contenders

Slide 42: Blowfish

Slide 43: Twofish

Slide 44: Rijndael Overview

Slide 45: Block Size/Key Length. Both block size and key length of Rijndael are variable. Sizes shown below are the ones required by the AES Standard. The number of rounds (or iterations) is a function of the key length:

Slide 46: Rijndael vs. AES. AES utilizes a subset of Rijndael capabilities. Rijndael allows block sizes of 192 and 256 bits, but AES does not permit these larger block sizes. If larger block sizes are used, the number of rounds must be increased.

Slide 47: Important. Rijndael does not have a Feistel structure. Feistel networks do not encrypt an entire block per iteration (e.g., in DES, 64/2 = 32 bits are encrypted in one iteration). Rijndael encrypts all 128 bits in one iteration. As a consequence, Rijndael has a comparably small number of rounds.

Slide 48: Rijndael Structure. Rijndael is a substitution-permutation network. Rijndael uses three different types of layers. Each layer operates on all 128 bits of a block.

Slide 49: Rijndael Layers. Key Addition Layer: XORing of subkey. Byte Substitution Layer: 8-by-8 S-Box substitution. Diffusion Layer: provides diffusion over all 128 (or 192 or 256) block bits. It is split in two sub-layers: –ShiftRow Layer –MixColumn Layer.

Slide 50: Operations. ByteSubstitution Layer introduces confusion with a non-linear operation. ShiftRow and MixColumn stages form a linear Diffusion Layer.

Slide 51: Rijndael Block Diagram (encryption)
Slide 52: A Walk Through Rijndael. One must be very careful when using Wikipedia references. However, this one has been vetted and is accurate as of today: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard. We'll look at the description of how Rijndael works in some detail.

Slide 53: Affine Transformation. Mapping between two vector spaces consisting of a linear transformation followed by a translation: x ↦ Ax + b. Preserves: –Collinearity between points, i.e., three points which lie on a line continue to be collinear after the transformation –Ratios of distances along a line.

Slide 54: Another View of Byte Substitution. Splits the incoming 128 bits into 128/8 = 16 bytes. Each byte A is considered an element of GF(2^8) and undergoes the following substitution individually: B = A^(-1) in GF(2^8), where P(x) = x^8 + x^4 + x^3 + x + 1.

Slide 55: Byte Substitution Affine Transformation

Slide 56: All About C. The vector C = (c_7 ··· c_0) (representing the field element c_7 x^7 + ··· + c_1 x + c_0) is the result of the substitution: C = ByteSub(A). The entire substitution can be realized as a look-up in a 256x8-bit table with fixed entries. Unlike DES, Rijndael applies the same S-Box to each byte.

Slide 57: Diffusion Layer. Unlike the non-linear substitution layer, the diffusion layer performs a linear operation on input words A, B. That means: DIFF(A) + DIFF(B) = DIFF(A + B). The diffusion layer consists of two sublayers: –ShiftRow SubLayer –MixColumn SubLayer.

Slide 58: ShiftRow SubLayer - 1. Write an input word A as 128/8 = 16 bytes and order them in a square array: Input A = (a_0, a_1, …, a_15).

Slide 59: ShiftRow SubLayer - 2. Shift cyclically row-wise as follows:

Slide 60: MixColumn SubLayer. Principle: each column of 4 bytes is individually transformed into another column. How? Each 4-byte column is considered as a vector and multiplied by a 4x4 matrix. The matrix contains constant entries. Multiplication and addition of the coefficients is done in GF(2^8).

Slide 61: MixColumn SubLayer Matrices
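The byte substitution of slides 53-56 and the MixColumn step of slides 60-61 rest on the same GF(2^8) arithmetic, so one added example (not the lecturer's code, nor the reference implementation from the standard) covers both: an S-box entry is computed from A^(-1) followed by the affine map instead of being read from the 256-entry table, and a 4-byte column is multiplied by the constant matrix. The affine constant 0x63, the matrix rows [2, 3, 1, 1] and their rotations, and the test columns are the values fixed or worked in FIPS PUB 197.

```python
# Added example, not from the lecture: the AES byte substitution computed from
# its definition (GF(2^8) inverse, then affine map) and one MixColumn step.
POLY = 0x11B  # P(x) = x^8 + x^4 + x^3 + x + 1, the AES field polynomial
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # MixColumn matrix

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reducing modulo P(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^8) via a^254 = a^(-1); AES maps 0 to 0."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result if a else 0

def affine(a):
    """Affine step x -> Ax + b: the fixed matrix A acts as a sum of bit rotations, b = 0x63."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return a ^ rotl(a, 1) ^ rotl(a, 2) ^ rotl(a, 3) ^ rotl(a, 4) ^ 0x63

def byte_sub(a):
    """ByteSub(A) = affine(A^-1): exactly what the 256x8-bit S-box table stores."""
    return affine(gf_inv(a))

def mix_column(col):
    """Multiply a 4-byte column by the constant matrix, all arithmetic in GF(2^8)."""
    out = []
    for row in MIX:
        acc = 0
        for m, c in zip(row, col):
            acc ^= gf_mul(m, c)  # addition in GF(2^8) is XOR
        out.append(acc)
    return out
```

Since the inverse is a bijection on GF(2^8) and the affine map is invertible, byte_sub is a permutation of the 256 byte values, which is what makes the substitution layer reversible for decryption (slide 66).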
Slide 62: Rijndael Keys. Analogous to DES, the key provided with AES is a seed key, which is processed within the system to produce round keys. The procedure to generate separate round keys from the seed key is known as the Rijndael key schedule.

Slide 63: Key Addition Layer. Simple bitwise XOR with a 128-bit subkey. AES (Rijndael) uses a key schedule to expand a short key into a number of separate round keys. This is known as the Rijndael key schedule. http://en.wikipedia.org/wiki/Rijndael_key_schedule

Slide 64: Rijndael Thoughts. FIPS PUB 197 is the official standard. Based on what you have seen of how encryption proceeds, can decryption proceed in the same way as for DES?

Slide 65: Rijndael Block Diagram (decryption)

Slide 66: Rijndael Decryption. Unlike DES and other Feistel ciphers, all of the Rijndael layers must actually be inverted. How can this be accomplished?

Slide 67: AES Uses in Defense Systems. DES and 3DES were never allowed for transmitting classified information. CNSS Policy #15, FS-1, June 2003 states that AES may be used for classified information, subject to FIPS 140-2: –SECRET at all key lengths –TOP SECRET at key lengths of 192 or 256. Issues/problems?

Slide 68: Attacks on AES? What did you find in your homework? Do any of these seem plausible? What about in 10-20 years? AES has been criticized as being too algebraically deterministic. Your thoughts?

Slide 69: AES Summary. AES uses a subset of the capabilities of the Rijndael algorithm. AES is becoming widely used, and is the default in many common applications. A change from many of its predecessors, AES is a substitution-permutation network. AES decryption requires a decryption engine to invert the encryption transforms.

Slide 70: Homework. Read Stinson, Chapter 3.6. Research the topic of elliptic curve cryptography. Choose a cryptosystem and describe its advantages and disadvantages. Is it in wide use? Why or why not? Some researchers have reported breaking AES. Find one or more of these claims and evaluate its significance or lack thereof.